Forum OpenACS Development: SMTPS for outgoing mails

Posted by Michael Aram on
Dear community,

a client asks if OpenACS can send its outgoing mails via TLS. A quick look at the source code of acs-mail-lite shows that it uses TCLLIB's smtp package, which seems to support it via the TLS package. So I would dare to say "yes we can". However, I think I remember that the use of TLS within AOLserver/NaviServer is discouraged for some reason.

Is the better option to try to stick with port 25 (if the client's policy allows) or can I safely affirm the support of secure SMTPS?

Thank you for your help...
Kind regards,
Michael

Posted by Vlad V on
I'm not sure, but as a variant, use the nginx mail ssl module http://nginx.org/en/docs/mail/ngx_mail_ssl_module.html?

Posted by Gustaf Neumann on
AFAICT, the smtp support in the most recent tcllib (1.17) together with the most recent version of libtls (1.6.7) works fine. It supports e.g. the on-the-fly upgrade of plain text connections (port 25) to TLS connections via STARTTLS. This is not suitable in cases where you have more than 1024 concurrent open connections, in which case tcl-async io will break on most systems, due to select() limitations. We use the tcllib module with libtls in production (sending several 1000 mails per day).

The NaviServer smtp module currently does not help, since it currently supports only plain text. I have no experience with the nginx module, but both approaches require integration with acs-mail-lite.

Posted by Antonio Pisano on
Another approach I have applied with success is to configure ACS Mail Lite to just send mail to the local smtp server (postfix or exim in my case) and let it deal with the actual sending, to a relay or on its own, and supporting encryption.

This was suggested by Maurizio Martignano some time ago, and looked like a good idea, because it moves the problem from the application to plain system administration.

Posted by Cesareo Garcia Rodicio on
Hi Michael

I'm using postfix too as a local smtp server, and TLS is tested[1]. So if your client is allowed to admin an email server, I think that's the best option.

-----
[1] http://checktls.com/perl/TestReceiver.pl

Posted by Michael Aram on
I ended up with the configuration you mentioned: OpenACS delivers to localhost:25, where a Postfix that is configured as a "satellite" forwards it to an SMTP server.

(I did not manage to get tcllib/tcltls to work with the client's mailserver, most probably because of issues with their "custom" certificate chain; connection testing via openssl and gnutls did work in the end, but only when pointing them to the right certificate etc... Anyhow, as using Postfix with all its bells and whistles seemed to me the more convenient option anyway (one can easily inspect the mailqueue, has nice logging of the mailserver communication, etc...), I decided not to go further down the tcllib road.)

Thank you all for your input!
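
The satellite setup described in the last post could look like the following Postfix `main.cf` fragment. This is an added example, not configuration posted by anyone in the thread; the relay host name, port and CA file path are placeholders, and it contrasts opportunistic TLS with an enforced, verified setting.

```ini
# /etc/postfix/main.cf: satellite sketch (constructed example)

# Accept mail only from the local host; OpenACS delivers to localhost:25.
inet_interfaces = loopback-only
mydestination =

# Forward all mail to the relay. The brackets suppress the MX lookup.
# relay.example.com and port 587 are placeholders.
relayhost = [relay.example.com]:587

# Weak: opportunistic TLS. Postfix falls back to plaintext when STARTTLS
# is not offered or the handshake fails, and the server certificate is
# not verified.
#smtp_tls_security_level = may

# Stronger: require TLS, verify the certificate chain and match the
# relay's name. If that cannot be satisfied, the mail stays queued
# instead of being sent in the clear.
smtp_tls_security_level = secure

# Trust anchor for a relay that uses a private or custom CA chain
# (placeholder path).
smtp_tls_CAfile = /etc/postfix/relay-ca-chain.pem

# Log one summary line per outgoing TLS session.
smtp_tls_loglevel = 1
```

With `smtp_tls_loglevel = 1`, the mail log records whether each session was a "Trusted TLS connection established" or an "Untrusted" one, and `postqueue -p` shows mail deferred because the relay's certificate could not be verified.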